The CCOW Authentication Repository
- The Authentication Repository enables applications to securely store and retrieve user authentication data. This allows applications to authenticate users without exposing user logon actions and passwords to security risks.
- The Authentication Repository supports secure authentication for applications that cannot sign a user on with only a logon name. It does not authenticate users itself; it gives applications a means of obtaining the stored authentication data. An Authentication Repository is created by writing a class that implements the Leadtools.Ccow.IAuthenticationRepository interface.
Single Sign-On (SSO) Authentication
A user can securely access a repository through single sign-on authentication with User links. User links are an example of secure links. They enable institutions to designate applications as trusted for user authentication and to implement multiple methods of authentication (e.g. passwords, biometrics, etc.).
The context identity subjects defined for User-Link-enabled applications are User subjects. User subjects are secure subjects designated with authenticated data sets. The context data identifier item for the User subject is the user's sign-on name to an application. Because a user's sign-on name is unlikely to be universally unique, different applications in a context system may identify a single user with different User subject identifier items. Therefore, application-specific suffixes differentiate each item. The User subject is not dependent on any other subject.
When an application sets the user context, the context manager instructs an optional user-mapping agent to map the application-specific logon names for additional logon names known to the agent. The mapping agent uses the application suffix for each of the mapped items to inform the application that the mapped logon name is valid.
Any User-Link-enabled application can be configured to sign on to a context session on a clinical desktop. The implementation-specific configuration of a context manager designates specific applications to perform the logon task. In this situation, the context manager allows only the designated applications to complete context change transactions that change the User subject. The one exception to this rule is that any User-Link-enabled application is allowed to set the User subject to empty, so that a user can log off from all User-linked applications from any User-Link-enabled application. As a result, any User-Link-enabled application not designated to authenticate users on a particular device should not allow the user to sign on to the application or set the User subject. To sign on to a linked but non-designated application, the user must first log on to a designated application. To log on to a non-designated application directly, a user has to break the link with the common context.
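The two rules above, which application may change the User subject and how a mapping agent expands the logon name into per-application identifier items, can be modelled in a few lines. The following is an added illustration, not LEADTOOLS code: the `UserSubjectPolicy` class, the `User.Id.Logon.<suffix>` item layout, the application names and the mapping table are all assumptions constructed for the example.

```csharp
using System;
using System.Collections.Generic;

// Added illustration of the User-subject rules: which application may change
// the User subject, and how a mapping agent adds items for other applications'
// logon names. Class, item-name layout and sample data are assumptions for this
// example, not the LEADTOOLS context manager.
public sealed class UserSubjectPolicy
{
    // Assumed layout: one identifier item per application suffix.
    private const string LogonItemPrefix = "User.Id.Logon.";

    // Applications the site configuration designates to perform user logon.
    private readonly HashSet<string> _designatedApps;

    // Mapping agent's table: (application suffix, logon name) -> the same
    // user's logon names in other applications, keyed by their suffix.
    private readonly Dictionary<Tuple<string, string>, Dictionary<string, string>> _mappings;

    public UserSubjectPolicy(
        IEnumerable<string> designatedApps,
        Dictionary<Tuple<string, string>, Dictionary<string, string>> mappings)
    {
        _designatedApps = new HashSet<string>(designatedApps, StringComparer.OrdinalIgnoreCase);
        _mappings = mappings;
    }

    // The context manager's check before accepting a change to the User subject.
    // Clearing the subject (sign-off) is allowed from any User-Link-enabled
    // application; setting it to a logon name is allowed only from a designated one.
    public bool MayChangeUserSubject(string requestingApp, string logonName)
    {
        if (string.IsNullOrEmpty(logonName))
            return true;
        return _designatedApps.Contains(requestingApp);
    }

    // Items the committed context carries after a permitted change: the
    // requesting application's own logon item plus the agent's mapped items.
    public IDictionary<string, string> BuildUserItems(string requestingApp, string logonName)
    {
        if (!MayChangeUserSubject(requestingApp, logonName))
            throw new UnauthorizedAccessException(
                requestingApp + " is not designated to sign users on.");

        var items = new Dictionary<string, string>();
        if (string.IsNullOrEmpty(logonName))
            return items;   // empty User subject: every linked application signs off

        items[LogonItemPrefix + requestingApp] = logonName;

        Dictionary<string, string> mapped;
        if (_mappings.TryGetValue(Tuple.Create(requestingApp, logonName), out mapped))
        {
            foreach (var entry in mapped)
                items[LogonItemPrefix + entry.Key] = entry.Value;
        }
        return items;
    }

    public static void Main()
    {
        // Constructed sample data: LabViewer is designated; ChartApp is not.
        var mappings = new Dictionary<Tuple<string, string>, Dictionary<string, string>>
        {
            { Tuple.Create("LabViewer", "jsmith"),
              new Dictionary<string, string> { { "ChartApp", "smith.j" }, { "Pharmacy", "JSM1" } } }
        };
        var policy = new UserSubjectPolicy(new[] { "LabViewer" }, mappings);

        // A non-designated application may sign off but may not sign a user on.
        Console.WriteLine(policy.MayChangeUserSubject("ChartApp", "smith.j"));
        Console.WriteLine(policy.MayChangeUserSubject("ChartApp", ""));

        // A designated application's change is expanded by the mapping agent.
        foreach (var item in policy.BuildUserItems("LabViewer", "jsmith"))
            Console.WriteLine(item.Key + " = " + item.Value);
    }
}
```

The point worth noticing is that the authorization check keys on the requesting application and on whether the new value is empty, not on the logon name's content: the mapping table is consulted only after the change has been permitted, so a non-designated application cannot use a mapped name to sign someone on.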
Implementing an Authentication Repository
To implement an Authentication Repository, create a class that implements the IAuthenticationRepository and ISecureBinding interfaces. The class must implement the following methods:
- Connect: Enables an application to establish connection with the authentication repository. An application must have a connection before it can set or get user authentication data.
- DeleteAuthenticationData: Enables an application to delete some or all of the authentication data that it previously stored for a particular logon name. Both the logon name and the associated authentication data are deleted.
- Disconnect: Enables an application to disconnect from the authentication repository. An application should disconnect before it terminates.
- GetAuthenticationData: Enables an application to retrieve the authentication data previously stored for a particular user logon name.
- SetAuthenticationData: Enables an application to store authentication data for a particular user logon name in the authentication repository. This method also enables an application to update authentication data for a particular user logon name that it has already stored in the repository.
- InitializeBinding: Enables a bindee (context management component) to initiate the process of establishing a secure binding with another binder (context management component).
- FinalizeBinding: Enables a bindee to finalize the process of establishing a secure binding with a context management component, and enables the bindee to determine which access privileges it has.
- The class implementation is required to be a COM object. As a result, the ComVisibleAttribute is required when declaring the class.
- The LEADTOOLS CCOW Authentication Repository is implemented in the Leadtools.Ccow.Server assembly.
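The method list above maps onto a small state machine: an application binds securely, connects, then stores, reads or deletes data, and disconnects. The following added example sketches such a repository. It is not LEADTOOLS code: the page does not show the real Leadtools.Ccow.IAuthenticationRepository and ISecureBinding signatures, so the example declares stand-in interfaces (`IAuthenticationRepositoryStandIn`, `ISecureBindingStandIn`) with assumed parameters, and the challenge/response proof in `FinalizeBinding` is a placeholder rather than the CCOW binding procedure. The registered application name and secret are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

// Stand-in interfaces with ASSUMED signatures so this example compiles on its own.
// The real Leadtools.Ccow interfaces are not shown on this page; a real
// implementation targets those instead.
public interface IAuthenticationRepositoryStandIn
{
    void Connect(string applicationName);
    void Disconnect(string applicationName);
    void SetAuthenticationData(string applicationName, string logonName, byte[] authenticationData);
    byte[] GetAuthenticationData(string applicationName, string logonName);
    void DeleteAuthenticationData(string applicationName, string logonName);
}

public interface ISecureBindingStandIn
{
    string InitializeBinding(string applicationName);                // returns a one-time challenge
    string FinalizeBinding(string applicationName, string response); // returns granted privileges
}

// COM visibility is required for the repository class, as noted above.
[ComVisible(true)]
public class InMemoryAuthenticationRepository : IAuthenticationRepositoryStandIn, ISecureBindingStandIn
{
    private readonly Dictionary<string, string> _pendingChallenges = new Dictionary<string, string>();
    private readonly HashSet<string> _bound = new HashSet<string>();
    private readonly HashSet<string> _connected = new HashSet<string>();
    // Data is partitioned per (application, logon name): one application
    // cannot read what another stored for the same logon name.
    private readonly Dictionary<Tuple<string, string>, byte[]> _store =
        new Dictionary<Tuple<string, string>, byte[]>();
    // Applications the site has registered, with a shared secret (constructed sample).
    private readonly Dictionary<string, string> _registeredApps = new Dictionary<string, string>
    {
        { "LabViewer", "placeholder-secret-LabViewer" }
    };

    public string InitializeBinding(string applicationName)
    {
        if (!_registeredApps.ContainsKey(applicationName))
            throw new UnauthorizedAccessException("Unknown application: " + applicationName);
        string challenge = Guid.NewGuid().ToString("N");
        _pendingChallenges[applicationName] = challenge;
        return challenge;
    }

    // Placeholder proof: the bindee returns challenge + secret. This stands in
    // for the real secure-binding check and is only meant to show the sequencing.
    public string FinalizeBinding(string applicationName, string response)
    {
        string challenge;
        if (!_pendingChallenges.TryGetValue(applicationName, out challenge))
            throw new InvalidOperationException("InitializeBinding was not called.");
        _pendingChallenges.Remove(applicationName);   // challenge is single-use
        if (!ConstantTimeEquals(challenge + _registeredApps[applicationName], response))
            throw new UnauthorizedAccessException("Binding proof rejected.");
        _bound.Add(applicationName);
        return "ReadWrite";   // the privileges this repository grants a bound application
    }

    public void Connect(string applicationName)
    {
        if (!_bound.Contains(applicationName))
            throw new UnauthorizedAccessException("Secure binding required before Connect.");
        _connected.Add(applicationName);
    }

    public void Disconnect(string applicationName) { _connected.Remove(applicationName); }

    public void SetAuthenticationData(string applicationName, string logonName, byte[] authenticationData)
    {
        RequireConnected(applicationName);
        _store[Tuple.Create(applicationName, logonName)] = (byte[])authenticationData.Clone();
    }

    public byte[] GetAuthenticationData(string applicationName, string logonName)
    {
        RequireConnected(applicationName);
        byte[] data;
        if (!_store.TryGetValue(Tuple.Create(applicationName, logonName), out data))
            throw new KeyNotFoundException("No authentication data for " + logonName);
        return (byte[])data.Clone();
    }

    // Removes both the logon name entry and its data, wiping the buffer first.
    public void DeleteAuthenticationData(string applicationName, string logonName)
    {
        RequireConnected(applicationName);
        byte[] data;
        var key = Tuple.Create(applicationName, logonName);
        if (_store.TryGetValue(key, out data))
        {
            Array.Clear(data, 0, data.Length);
            _store.Remove(key);
        }
    }

    private void RequireConnected(string applicationName)
    {
        if (!_connected.Contains(applicationName))
            throw new InvalidOperationException("Connect must be called before using the repository.");
    }

    private static bool ConstantTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Two design choices carry the security weight here: every data method refuses to run until the caller has both finalized a binding and connected, which is the ordering the method descriptions above require, and the store is keyed by application as well as logon name, so the repository never hands one application the credential material another application stored. A production repository would keep the data encrypted at rest rather than in a plain dictionary.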